Skip to content
Alchemy
GitHubXDiscord

ClientVpnEndpoint

The ClientVpnEndpoint resource lets you create and manage AWS EC2 ClientVpnEndpoints for providing secure access to your AWS resources.

Minimal Example

Section titled “Minimal Example”

Create a basic ClientVpnEndpoint with required properties and some common optional configurations:

import AWS from "alchemy/aws/control";


const basicClientVpnEndpoint = await AWS.EC2.ClientVpnEndpoint("BasicClientVpn", {
  ClientCidrBlock: "10.0.0.0/16",
  AuthenticationOptions: [
    {
      Type: "directory-service-authentication",
      ActiveDirectory: {
        DirectoryId: "d-1234567890"
      }
    }
  ],
  ServerCertificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-5678-90ef-ghij-klmnopqrstuv",
  ConnectionLogOptions: {
    Enabled: true,
    CloudWatchLogGroup: "vpn-connection-logs",
    CloudWatchLogStream: "vpn-access-logs"
  },
  DnsServers: ["8.8.8.8", "8.8.4.4"],
  TagSpecifications: [{
    ResourceType: "client-vpn-endpoint",
    Tags: [{
      Key: "Environment",
      Value: "Production"
    }]
  }]
});

Advanced Configuration

Section titled “Advanced Configuration”

Configure a ClientVpnEndpoint with enhanced security options and session timeout settings:

const advancedClientVpnEndpoint = await AWS.EC2.ClientVpnEndpoint("AdvancedClientVpn", {
  ClientCidrBlock: "10.1.0.0/16",
  AuthenticationOptions: [
    {
      Type: "federated-authentication",
      FederatedAuthentication: {
        SAML: {
          Idp: "https://idp.example.com/saml",
          Name: "Example SAML IdP"
        }
      }
    }
  ],
  ServerCertificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-5678-90ef-ghij-klmnopqrstuv",
  ConnectionLogOptions: {
    Enabled: true,
    CloudWatchLogGroup: "vpn-connection-logs",
    CloudWatchLogStream: "vpn-access-logs"
  },
  SessionTimeoutHours: 1,
  DisconnectOnSessionTimeout: true,
  SplitTunnel: true,
  ClientRouteEnforcementOptions: {
    Enforce: true
  }
});

Custom Client Login Banner

Section titled “Custom Client Login Banner”

Create a ClientVpnEndpoint that includes a custom client login banner:

const clientVpnWithBanner = await AWS.EC2.ClientVpnEndpoint("ClientVpnWithBanner", {
  ClientCidrBlock: "10.2.0.0/16",
  AuthenticationOptions: [
    {
      Type: "certificate-authentication",
      MutualAuthentication: {
        ClientRootCertificateChainArn: "arn:aws:acm:us-east-1:123456789012:certificate/abcdef12-3456-78ab-cdef-ghijklmnopqr"
      }
    }
  ],
  ServerCertificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-5678-90ef-ghij-klmnopqrstuv",
  ConnectionLogOptions: {
    Enabled: true,
    CloudWatchLogGroup: "vpn-connection-logs",
    CloudWatchLogStream: "vpn-access-logs"
  },
  ClientLoginBannerOptions: {
    BannerText: "Welcome to the secure VPN. Please adhere to company policies.",
    Enabled: true
  }
});

DNS Server Configuration

Section titled “DNS Server Configuration”

Set up a ClientVpnEndpoint with custom DNS servers:

const dnsConfiguredClientVpnEndpoint = await AWS.EC2.ClientVpnEndpoint("DnsConfiguredClientVpn", {
  ClientCidrBlock: "10.3.0.0/16",
  AuthenticationOptions: [{
    Type: "directory-service-authentication",
    ActiveDirectory: {
      DirectoryId: "d-1234567890"
    }
  }],
  ServerCertificateArn: "arn:aws:acm:us-east-1:123456789012:certificate/abcd1234-5678-90ef-ghij-klmnopqrstuv",
  ConnectionLogOptions: {
    Enabled: true,
    CloudWatchLogGroup: "vpn-connection-logs",
    CloudWatchLogStream: "vpn-access-logs"
  },
  DnsServers: ["1.1.1.1", "1.0.0.1"],
  SplitTunnel: false
});